Cyber Security in Real-Time Systems
Transport Security Event – Olympia
“Advanced Persistent and Insider Threats”
David Spinks – Chairman CSIRS
September 2011
CSIRS Cyber Security in Real-Time Systems

Introduction

LinkedIn CSIRS: http://www.linkedin.com/groupRegistration?gid=3623430

Why me?
- 1990 - 2000 Railtrack Safety Critical Software
- Sizewell B Software Emergency Shut Down code validation
- UK Government assessment of Embedded Software (Aviation)
Current Business Environments & Drivers
- Smart Grid emerging
- Changing threat profile
- Cost reduction by private utilities
- Integration of Real Time (SCADA) <> Commercial IT
- Real Time based on Windows
- Use of wireless to effect remote management
- Real Time designed by “engineers”

Threats: Current Trends

Stuxnet Changed Everything
- Expertise
- Focused
- Gather Intelligence
- Social Engineering
- The first advanced persistent threat (APT)

Why is APT different?
- Multiple entry points across the supply chain.
- Focus on social engineering and use of insiders.
- Gathering of intelligence across a range of suppliers.
- The attack has a complex event sequence across multiple technologies.
- The malware is sophisticated and was likely developed and proved on test beds.

Do not place designs of nuclear plant in the public domain!
http://www.prleap.com/pr/167858/ eXtremeDB Embedded In-Memory Database Adds Safety and Efficiency In Nuclear Waste Processing Control System

So have there been any other APTs since Stuxnet?
- Many successful security attacks have been designated as APT by the company that has been breached.
- Closest to this model is the RSA breach: entry via EMC and staff being exposed to phishing attacks; lack of RSA CSO ......
- Farthest away is the repeated breaches suffered by Sony ....
- Many organisations have a history of under-investment in Information Security ....
Insider Threats

What is an insider threat?
- A breach, or part of an attack, executed from within the existing trust domain(s) by an individual who holds some kind of existing authentication.
- The breach event may be deliberate or accidental. The individual may be a current or past employee, contractor, customer, partner or supplier.
- The individual will have a “motive”, which may or may not be logical.
- Many insider threats will be trivial actions that form an intelligence gathering exercise.

Why is an insider threat so dangerous?
- Immediate compromise of the traditional security perimeter!
- Traditional baseline security measures are ineffective.
- Traditional concepts of “trust” are invalid: many frauds and thefts are executed with the assistance of employees and executives! No-one is immune to potential compromise.
- Pilot studies using DLP software and tools show a staggeringly high number of deliberate security breaches executed by a high percentage of all staff: ignorance of policy, finding ways around the rules, stupidity!

Possible defence and detection
- Security training and awareness
- Communication and implementation of penalties
- Concept of “you will be caught”, and an example will be made
- Security culture
- Evaluation of suppliers and partners (supply chain!)
- Use of DLP and log analysis
- Good HR policies and procedures; monitoring of behaviours
What actions do we need to consider?

Possible Cyber Security Solution
Understanding > Design Solution > Implement > Manage & Improve (ISO 27001, CobiT 4.1/5.0)
- Implementation of baseline security
- Implementation of APT detection and response

Implementation of baseline security (examples)
- Robust Identity Management solutions
- RBAC
- Basic log collection, analysis and reporting
- Intrusion detection and prevention
- Penetration testing of external-facing firewalls
- Security training and awareness (defending against social engineering and phishing)
- Encryption of critical and sensitive data
Mandatory, no exceptions, executive led. Baseline measures alone will not detect or mitigate APT.

Advanced security measures:
- PKI/digital signatures and key management
- Data loss prevention, proactive and reactive
- Integrated approach to log analysis (applications and IdM) with real-time alerts to the SOC
- Application and web hosting code analysis
- Governance, Risk and Compliance in real time
- Security incident and near-miss reporting
Mandatory, no exceptions, executive led.
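The insider-threat indicators described on the earlier slides (a past employee still authenticating, activity outside working hours, and a burst of individually “trivial” file accesses that together form an intelligence gathering exercise) and the integrated log analysis with real-time SOC alerts listed under advanced measures can be turned into simple correlation logic over IdM and file-server logs. The Python below is an added example, not code from the presentation or from CSIRS; the HR leavers list, the authentication and file-access log formats, the working-hours window and the spike factor are all constructed for illustration and are not taken from any real system.

```python
"""Insider-threat indicators from correlated logs (constructed example).

Correlates three constructed sources:
  - an HR leavers list (user -> last working day),
  - an identity-management (IdM) authentication log,
  - a file-server access log,
and raises alerts for three indicators:
  1. a leaver (past employee) still authenticating after their last day,
  2. activity outside the working-hours window,
  3. a per-user daily access count far above that user's own prior baseline.
"""
from collections import Counter, defaultdict
from datetime import datetime, date, time

# Constructed sample data; assumed formats, not from any real system.
HR_LEAVERS = {"jsmith": date(2011, 9, 5)}  # user -> last working day

# IdM authentication log: "timestamp user result"
AUTH_LOG = """\
2011-09-06T08:55:12 akhan success
2011-09-06T09:02:41 jsmith success
2011-09-06T09:10:07 bwong success
2011-09-06T22:14:33 akhan success
"""

# File server access log: "timestamp user path"
FILE_LOG = """\
2011-09-01T10:00:00 akhan /eng/substation_a/design.dwg
2011-09-02T10:05:00 akhan /eng/substation_a/notes.txt
2011-09-05T11:00:00 akhan /eng/substation_b/design.dwg
2011-09-06T22:15:00 akhan /eng/plc/ladder_logic_v3.l5x
2011-09-06T22:15:05 akhan /eng/plc/hmi_export.xml
2011-09-06T22:15:09 akhan /eng/plc/io_map.xlsx
2011-09-06T22:15:14 akhan /eng/network/scada_vlan.vsd
2011-09-06T22:15:20 akhan /eng/network/firewall_rules.txt
2011-09-06T22:15:25 akhan /eng/network/modbus_hosts.csv
2011-09-06T22:15:31 akhan /eng/plant/shutdown_seq.pdf
2011-09-06T22:15:36 akhan /eng/plant/valve_ids.xlsx
2011-09-06T09:12:00 bwong /finance/q3_forecast.xlsx
"""

WORK_START, WORK_END = time(7, 0), time(19, 0)  # assumed working-hours window
SPIKE_FACTOR = 5  # flag a day with more than 5x the user's prior daily mean


def parse(log, fields):
    """Split whitespace-separated log lines into dicts; first field is an ISO timestamp."""
    rows = []
    for line in log.strip().splitlines():
        parts = line.split(maxsplit=len(fields) - 1)  # keeps paths with spaces intact
        row = dict(zip(fields, parts))
        row["ts"] = datetime.fromisoformat(row["ts"])
        rows.append(row)
    return rows


def leaver_logins(auth):
    """Indicator 1: successful authentication after the HR last working day."""
    return [(r["user"], r["ts"]) for r in auth
            if r["result"] == "success"
            and r["user"] in HR_LEAVERS
            and r["ts"].date() > HR_LEAVERS[r["user"]]]


def off_hours(rows):
    """Indicator 2: any event outside the working-hours window."""
    return [(r["user"], r["ts"]) for r in rows
            if not (WORK_START <= r["ts"].time() <= WORK_END)]


def volume_spikes(file_rows):
    """Indicator 3: per-user daily access count above SPIKE_FACTOR x that user's prior mean."""
    per_day = defaultdict(Counter)
    for r in file_rows:
        per_day[r["user"]][r["ts"].date()] += 1
    spikes = []
    for user, days in per_day.items():
        ordered = sorted(days)
        for i, d in enumerate(ordered):
            prior = [days[x] for x in ordered[:i]]
            if not prior:  # no baseline yet for this user
                continue
            baseline = sum(prior) / len(prior)
            if days[d] > SPIKE_FACTOR * baseline:
                spikes.append((user, d, days[d], baseline))
    return spikes


def alerts():
    """Run all three indicators and return SOC-style alert strings."""
    auth = parse(AUTH_LOG, ["ts", "user", "result"])
    files = parse(FILE_LOG, ["ts", "user", "path"])
    out = []
    out += [f"LEAVER_LOGIN {u} {t.isoformat()}" for u, t in leaver_logins(auth)]
    out += [f"OFF_HOURS {u} {t.isoformat()}" for u, t in off_hours(auth + files)]
    out += [f"VOLUME_SPIKE {u} {d} count={n} baseline={b:.1f}"
            for u, d, n, b in volume_spikes(files)]
    return out


if __name__ == "__main__":
    for a in alerts():
        print(a)
```

On the constructed data this raises one LEAVER_LOGIN for jsmith (HR says the last day was 5 September, the IdM log shows a successful login on the 6th), nine OFF_HOURS alerts for akhan, and one VOLUME_SPIKE for akhan on 6 September (8 accesses against a prior daily mean of 1.0). The point of the correlation is that each indicator on its own is weak, but a leaver-list feed from HR plus a per-user baseline turns the "trivial" file reads into something a SOC can act on in near real time.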
Conclusions:
- APTs are very difficult to detect and, once detected, to then defend against.
- Expenditure on security processes and tools needs to be increased.
- Security should be implemented top down with executive sponsorship.
- All employees are part of the defence; silver bullets will not work.

Thank you
Q&A
david.email@example.com@gmail.com